<html>
<head><meta charset="utf-8"><title>RustSec advisories on crates.io · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html">RustSec advisories on crates.io</a></h3>

<hr>


<a name="225191376"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225191376">(Feb 04 2021 at 17:14)</a>:</h4>
<p>There has been some interest in surfacing the RustSec advisory info on <a href="http://docs.rs">docs.rs</a> - this is filed by one of the recent and very active contributors: <a href="https://github.com/rust-lang/docs.rs/issues/1270">https://github.com/rust-lang/docs.rs/issues/1270</a><br>
So far the discussion is leaning towards seeing them surfaced on <a href="http://crates.io">crates.io</a> first, and then <a href="http://docs.rs">docs.rs</a> following suit once that happens.</p>



<a name="225191552"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225191552">(Feb 04 2021 at 17:15)</a>:</h4>
<p>Looks like the next step is to get in touch with the <a href="http://crates.io">crates.io</a> team, perhaps starting a conversation on the bug tracker or in the chat on the official Discord channel. Is anyone willing to step up and do that?</p>



<a name="225191951"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225191951">(Feb 04 2021 at 17:18)</a>:</h4>
<p>I already have a backlog (e.g. announcing <code>cargo supply-chain</code> and I'm working on an update for the HTTP clients post), so I'd rather not take on more things to do right now.</p>



<a name="225207872"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225207872">(Feb 04 2021 at 19:14)</a>:</h4>
<p>I can ask in Discord</p>



<a name="225207915"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225207915">(Feb 04 2021 at 19:15)</a>:</h4>
<p>also <code>cargo supply-chain</code> eh?</p>



<a name="225208037"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225208037">(Feb 04 2021 at 19:16)</a>:</h4>
<p>have you checked out in-toto? <a href="https://www.propublica.org/article/solarwinds-cybersecurity-system">https://www.propublica.org/article/solarwinds-cybersecurity-system</a></p>



<a name="225208668"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225208668">(Feb 04 2021 at 19:21)</a>:</h4>
<p>I was not aware of that! That sounds pretty cool. Are there any docs on how that works, exactly?</p>



<a name="225208724"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225208724">(Feb 04 2021 at 19:21)</a>:</h4>
<p>Mine is <a href="https://github.com/rust-secure-code/cargo-supply-chain">https://github.com/rust-secure-code/cargo-supply-chain</a>; it's already usable, all it needs is a bit more help text and an announcement.</p>



<a name="225210859"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225210859">(Feb 04 2021 at 19:35)</a>:</h4>
<p><a href="https://in-toto.io/in-toto/">https://in-toto.io/in-toto/</a></p>



<a name="225210923"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225210923">(Feb 04 2021 at 19:36)</a>:</h4>
<p>it's mostly a metadata format for how artifacts were built</p>



<a name="225211272"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225211272">(Feb 04 2021 at 19:38)</a>:</h4>
<p>it'd be interesting to slipstream into Rust binaries</p>



<a name="225211581"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225211581">(Feb 04 2021 at 19:41)</a>:</h4>
<p>That sounds fairly close to what <a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> does</p>



<a name="225211757"></a>
<h4>Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225211757">(Feb 04 2021 at 19:42)</a>:</h4>
<p>The problem with that approach is that a malicious crate can alter the data by using a proc macro or <code>build.rs</code> to achieve arbitrary code execution</p>



<a name="225214926"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225214926">(Feb 04 2021 at 20:05)</a>:</h4>
<p>in that case, in-toto metadata could help you track down which of your build servers was compromised</p>



<a name="225215079"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225215079">(Feb 04 2021 at 20:06)</a>:</h4>
<p>in a proper deployment, forged metadata doesn't get you anything other than a rejected artifact</p>



<a name="225215159"></a>
<h4>Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20advisories.20on.20crates.2Eio.html#225215159">(Feb 04 2021 at 20:07)</a>:</h4>
<p>the best you can do is compromise a build server and have it produce an artifact with valid metadata</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>